US9769159B2 | Active | Utility | PatentIndex 66

Cookie optimization

Assignee: MICROSOFT CORP
Priority: Dec 14, 2012
Filed: Dec 14, 2012
Granted: Sep 19, 2017
Est. expiry: Dec 14, 2032 (~6.5 yrs left), nominal 20-yr term from priority
Inventors: BIKKULA RAVI; BEYER MICHAEL; KONERU KARUNA; GOLDIAN JEFFREY
H04L 63/0815, H04L 67/02, H04L 63/0807, H04L 63/0853

PatentIndex Score: 66
Cited by: 6
References: 13
Claims: 20

Abstract

Disclosed herein is a system and method for optimizing a cookie or token in a web service or other claims based domain system. A user presents an identity token to the domain system which verifies the identity claim as authentic and then determines what accounts the user has access to on the domain. The user is issued an intermediate token by the system which includes the locations of the accounts the user has access to. The user then selects the account they wish to interact with and receives an account token back to the user for the specific account, including any of the privileges the user has on the account. The account token also includes information that the user has multiple accounts on the domain. The user is able to switch accounts on the domain system without having to revalidate their credentials to the domain system.
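
The three-token flow described in the abstract, as an added sketch that is not taken from the patent or from any Microsoft implementation. The HMAC token format, the shared signing key, the account URLs, the user id "puid-123" and all function names are assumptions made for illustration; the typed tokens, the inherited expiry and the re-resolution of access on switch are design choices of this sketch.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # constructed; one key stands in for all issuers
ACCOUNTS = {  # constructed directory: account location -> {user id: permission}
    "https://a.example/contoso": {"puid-123": "admin"},
    "https://a.example/fabrikam": {"puid-123": "reader"},
    "https://a.example/other": {"puid-999": "admin"},
}

def _sign(claims):
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body + b"." + hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def _verify(token, typ):
    body, _, mac = token.rpartition(b".")
    good = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, good):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["typ"] != typ or claims["exp"] < time.time():
        raise PermissionError("wrong token type or expired")
    return claims

def issue_identity(puid, ttl=300):  # stands in for the identity provider
    return _sign({"typ": "identity", "puid": puid, "exp": time.time() + ttl})

def _intermediate(puid, exp):
    allowed = {loc: u[puid] for loc, u in ACCOUNTS.items() if puid in u}
    return _sign({"typ": "intermediate", "puid": puid, "accounts": allowed, "exp": exp})

def to_intermediate(identity_token):
    c = _verify(identity_token, "identity")
    return _intermediate(c["puid"], c["exp"])

def to_account(intermediate_token, location):
    c = _verify(intermediate_token, "intermediate")
    if location not in c["accounts"]:
        raise PermissionError("account not listed for this user")
    return _sign({"typ": "account", "puid": c["puid"], "account": location,
                  "level": c["accounts"][location],
                  "multi": len(c["accounts"]) > 1, "exp": c["exp"]})

def switch_account(account_token, new_location):
    c = _verify(account_token, "account")  # no password prompt, signature only
    # Access is re-resolved and the original expiry is kept (assumed policy).
    return to_account(_intermediate(c["puid"], c["exp"]), new_location)

def authorize(account_token, location):
    c = _verify(account_token, "account")
    if c["account"] != location:
        raise PermissionError("token is scoped to a different account")
    return c["level"]
```

The type check in `_verify` is what keeps an intermediate token, which lists every account, from being replayed where a single-account token is expected.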

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A computing device comprising:
 at least one memory and at least one processor, wherein the at least one memory and the at least one processor are respectively configured to store and execute instructions including instructions for causing the computing device to perform operations, the operations including:
 receiving an identity token that is associated with a user; 
 determining a list of candidate computing accounts for the user on a given computing domain based on information contained within the identity token; 
 determining computing accounts, from the list of candidate computing accounts, that the user has access to and the user's permission level on each of the computing accounts from the list of candidate computing accounts that the user has access to; 
 in response to determining the computing accounts, generating an intermediate token for the user, the intermediate token including an identity claim for the user and a list of computing accounts that the user was determined to have access to; 
 generating an account token for an account selected from the list of computing accounts that the user was determined to have access to; 
 providing the account token to another computing device; and 
 in response to a request, authorizing a holder of the account token to access the account selected from the list of computing accounts that the user was determined to have access to. 
 
 
     
     
       2. The computing device of claim 1, wherein the operations further include:
 parsing the received identity claim for an identity of a computing domain. 
 
     
     
       3. The computing device of claim 2, wherein the to operations further include:
 parsing the received identity claim for a personally unique identifier for the user on the computing domain. 
 
     
     
       4. The computing device of claim 1, wherein the operations further include:
 determining a location of a service having information regarding a particular computing account to which the user may have access. 
 
     
     
       5. The computing device of claim 4, wherein the operations further include:
 querying the determined service with a personally unique identifier for the user; and 
 receiving an indication of whether the user has access to a particular computing account. 
 
     
     
       6. The computing device of claim 1, wherein the operations further include:
 converting the account token for the user into the intermediate token for the user. 
 
     
     
       7. The computing device of claim 1, wherein the operations further include:
 receiving the intermediate token from the user; and 
 converting the intermediate token into the account token. 
 
     
     
       8. The computing device of claim 1, wherein the account token includes a management claim 1, the management claim comprising identifying information uniquely identifying the user and an indication that the user has multiple accounts on the computing domain.
     
     
       9. The computing device of claim 1, wherein the operations further include:
 receiving a user name and password from a user; and 
 providing the identity token to a user in response to receiving the user name and the password. 
 
     
     
       10. A method comprising:
 receiving, by a computing device, an identity token for a user; 
 extracting a domain identifier for at least one computing domain from the identity token, wherein the domain identifier is contained within a portion of the identity token; 
 determining a list of locations of computing accounts that the user has permission to access based at least in part on the extracted domain identifier; 
 generating an intermediate token for the user, the intermediate token indicating the determined list of locations of computing accounts; 
 generating an account token for an account selected from the computing accounts that the user has permission to access; 
 transmitting, by the computing device, the generated account token to another computing device, the generated account token including an indication that the user has multiple accounts; and 
 authorizing a holder of the account token to access the account selected from the computing accounts that the user has permission to access. 
 
     
     
       11. The method of claim 10, further comprising:
 validating the received identity token; and 
 extracting, by the computing device, a personally unique identifier for the user from the identity token. 
 
     
     
       12. The method of claim 10, wherein determining the list of computing accounts comprises:
 obtaining a list of candidate accounts for the user on the at least one computing domain; 
 querying if the user is authorized to access a computing account from the list of candidate accounts; and 
 if the user is authorized to access the computing account from the list of candidate accounts adding a location of that computing account to the determined list of locations of accounts. 
 
     
     
       13. The method of claim 12, wherein the querying comprises:
 comparing a personally unique identifier for the user against a list of authorized users on the computing account; and 
 returning an indication that the user is authorized to access the computing account if the user is authorized. 
 
     
     
       14. The method of claim 13, wherein returning the indication further includes returning an indication of a level of access the user has to the computing account if the user is authorized to access the computing account.
     
     
       15. The method of claim 10, further comprising:
 receiving an indication of a selection of a computing account from the computing accounts that the user has permission to access. 
 
     
     
       16. The method of claim 10, further comprising:
 receiving an indication a request to change to a different one of the computing accounts from the computing accounts that the user has permission to access; 
 converting the account token into the intermediate token; 
 receiving an indication of a new computing account from the computing accounts that the user has permission to access; and 
 generating a new account token for the user, the new account token for accessing the new computing account. 
 
     
     
       17. The method of claim 10, wherein the computing account token includes a management claim for the selected computing account and an indication that the user has access to multiple computing accounts on the at least one computing domain.
     
     
       18. A method, comprising:
 receiving, by a computing device, an identity token that is associated with a user; 
 determining a list of candidate computing accounts for the user on a given computing domain based on information contained within the identity token; 
 determining computing accounts, from the list of candidate computing accounts, that the user has access to and the user's permission level on each of the computing accounts from the list of candidate computing accounts that the user has access to; 
 in response to determining the computing accounts, generating an intermediate token for the user, the intermediate token including an identity claim for the user and a list of computing accounts that the user was determined to have access to; 
 generating an account token for an account selected from the list of computing accounts that the user was determined to have access to; 
 providing the account token to another computing device; and 
 in response to a request, authorizing a holder of the account token to access the account selected from the list of computing accounts that the user was determined to have access to. 
 
     
     
       19. The method of claim 18, wherein further comprising:
 determining a location of a service having information regarding a particular computing account to which the user may have access; 
 querying the determined service with a personally unique identifier for the user; and 
 receiving an indication of whether the user has access to a particular computing account. 
 
     
     
       20. The method of claim 18, wherein the account token includes a management claim, the management claim comprising identifying information uniquely identifying the user and an indication that the user has multiple accounts on the computing domain.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.